xref: /openbsd-src/regress/lib/libtls/verify/verifytest.c (revision f23ec8ef09a476bb4856a1f7b837f6b12928102c) 
1*f23ec8efSbeck /*	$OpenBSD: verifytest.c,v 1.8 2023/05/28 09:02:01 beck Exp $	*/
2d49505fbSjsing /*
3d49505fbSjsing  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4d49505fbSjsing  *
5d49505fbSjsing  * Permission to use, copy, modify, and distribute this software for any
6d49505fbSjsing  * purpose with or without fee is hereby granted, provided that the above
7d49505fbSjsing  * copyright notice and this permission notice appear in all copies.
8d49505fbSjsing  *
9d49505fbSjsing  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10d49505fbSjsing  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11d49505fbSjsing  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12d49505fbSjsing  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13d49505fbSjsing  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14d49505fbSjsing  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15d49505fbSjsing  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16d49505fbSjsing  */
17d49505fbSjsing 
18d49505fbSjsing #include <err.h>
19d49505fbSjsing #include <stdio.h>
20d49505fbSjsing #include <stdlib.h>
21d49505fbSjsing 
22d49505fbSjsing #include <openssl/x509v3.h>
239a94eeb1Sbcook #include <tls.h>
24d49505fbSjsing 
2566b91627Sjsing extern int tls_check_name(struct tls *ctx, X509 *cert, const char *name,
2666b91627Sjsing     int *match);
2766b91627Sjsing 
2866b91627Sjsing struct alt_name {
2966b91627Sjsing 	const char name[128];
3066b91627Sjsing 	int name_len;
3166b91627Sjsing 	int name_type;
3266b91627Sjsing };
33d49505fbSjsing 
34d49505fbSjsing struct verify_test {
35d49505fbSjsing 	const char common_name[128];
3666b91627Sjsing 	int common_name_len;
3766b91627Sjsing 	struct alt_name alt_name1;
3866b91627Sjsing 	struct alt_name alt_name2;
3966b91627Sjsing 	struct alt_name alt_name3;
4087e8bad1Sbeck 	const char name[128];
4166b91627Sjsing 	int want_return;
4266b91627Sjsing 	int want_match;
43*f23ec8efSbeck 	int name_type;
44d49505fbSjsing };
45d49505fbSjsing 
46d49505fbSjsing struct verify_test verify_tests[] = {
47d49505fbSjsing 	{
4866b91627Sjsing 		/* CN without SANs - matching. */
49d49505fbSjsing 		.common_name = "www.openbsd.org",
5066b91627Sjsing 		.common_name_len = -1,
5187e8bad1Sbeck 		.name = "www.openbsd.org",
5266b91627Sjsing 		.want_return = 0,
5366b91627Sjsing 		.want_match = 1,
54d49505fbSjsing 	},
55d49505fbSjsing 	{
5666b91627Sjsing 		/* Zero length name - non-matching. */
57d49505fbSjsing 		.common_name = "www.openbsd.org",
5866b91627Sjsing 		.common_name_len = -1,
5987e8bad1Sbeck 		.name = "",
6066b91627Sjsing 		.want_return = 0,
6166b91627Sjsing 		.want_match = 0,
62d49505fbSjsing 	},
63d49505fbSjsing 	{
6466b91627Sjsing 		/* CN wildcard without SANs - matching. */
65d49505fbSjsing 		.common_name = "*.openbsd.org",
6666b91627Sjsing 		.common_name_len = -1,
6787e8bad1Sbeck 		.name = "www.openbsd.org",
6866b91627Sjsing 		.want_return = 0,
6966b91627Sjsing 		.want_match = 1,
70d49505fbSjsing 	},
71d49505fbSjsing 	{
7266b91627Sjsing 		/* CN without SANs - non-matching. */
73d49505fbSjsing 		.common_name = "www.openbsdfoundation.org",
7466b91627Sjsing 		.common_name_len = -1,
7587e8bad1Sbeck 		.name = "www.openbsd.org",
7666b91627Sjsing 		.want_return = 0,
7766b91627Sjsing 		.want_match = 0,
78d49505fbSjsing 	},
79d49505fbSjsing 	{
8066b91627Sjsing 		/* CN wildcard without SANs - invalid CN wildcard. */
81d49505fbSjsing 		.common_name = "w*.openbsd.org",
8266b91627Sjsing 		.common_name_len = -1,
8387e8bad1Sbeck 		.name = "www.openbsd.org",
8466b91627Sjsing 		.want_return = 0,
8566b91627Sjsing 		.want_match = 0,
86d49505fbSjsing 	},
87d49505fbSjsing 	{
8866b91627Sjsing 		/* CN wildcard without SANs - invalid CN wildcard. */
89d49505fbSjsing 		.common_name = "www.*.org",
9066b91627Sjsing 		.common_name_len = -1,
9187e8bad1Sbeck 		.name = "www.openbsd.org",
9266b91627Sjsing 		.want_return = 0,
9366b91627Sjsing 		.want_match = 0,
94d49505fbSjsing 	},
95d49505fbSjsing 	{
9666b91627Sjsing 		/* CN wildcard without SANs - invalid CN wildcard. */
97d49505fbSjsing 		.common_name = "www.openbsd.*",
9866b91627Sjsing 		.common_name_len = -1,
9987e8bad1Sbeck 		.name = "www.openbsd.org",
10066b91627Sjsing 		.want_return = 0,
10166b91627Sjsing 		.want_match = 0,
102d49505fbSjsing 	},
103d49505fbSjsing 	{
10466b91627Sjsing 		/* CN wildcard without SANs - invalid CN wildcard. */
105d49505fbSjsing 		.common_name = "*",
10666b91627Sjsing 		.common_name_len = -1,
10787e8bad1Sbeck 		.name = "www.openbsd.org",
10866b91627Sjsing 		.want_return = 0,
10966b91627Sjsing 		.want_match = 0,
110d49505fbSjsing 	},
111d49505fbSjsing 	{
11266b91627Sjsing 		/* CN wildcard without SANs - invalid CN wildcard. */
113d49505fbSjsing 		.common_name = "*.org",
11466b91627Sjsing 		.common_name_len = -1,
11587e8bad1Sbeck 		.name = "www.openbsd.org",
11666b91627Sjsing 		.want_return = 0,
11766b91627Sjsing 		.want_match = 0,
118d49505fbSjsing 	},
119d49505fbSjsing 	{
12066b91627Sjsing 		/* CN wildcard without SANs - invalid CN wildcard. */
121d49505fbSjsing 		.common_name = "*.org",
12266b91627Sjsing 		.common_name_len = -1,
12387e8bad1Sbeck 		.name = "openbsd.org",
12466b91627Sjsing 		.want_return = 0,
12566b91627Sjsing 		.want_match = 0,
126d49505fbSjsing 	},
127d49505fbSjsing 	{
12866b91627Sjsing 		/* CN IPv4 without SANs - matching. */
129d49505fbSjsing 		.common_name = "1.2.3.4",
13066b91627Sjsing 		.common_name_len = -1,
13187e8bad1Sbeck 		.name = "1.2.3.4",
13266b91627Sjsing 		.want_return = 0,
13366b91627Sjsing 		.want_match = 1,
134d49505fbSjsing 	},
135d49505fbSjsing 	{
13666b91627Sjsing 		/* CN IPv4 wildcard without SANS - invalid IP wildcard. */
137d49505fbSjsing 		.common_name = "*.2.3.4",
13866b91627Sjsing 		.common_name_len = -1,
13987e8bad1Sbeck 		.name = "1.2.3.4",
14066b91627Sjsing 		.want_return = 0,
14166b91627Sjsing 		.want_match = 0,
142d49505fbSjsing 	},
143d49505fbSjsing 	{
14466b91627Sjsing 		/* CN IPv6 without SANs - matching. */
145d49505fbSjsing 		.common_name = "cafe::beef",
14666b91627Sjsing 		.common_name_len = -1,
14787e8bad1Sbeck 		.name = "cafe::beef",
14866b91627Sjsing 		.want_return = 0,
14966b91627Sjsing 		.want_match = 1,
150d49505fbSjsing 	},
151d49505fbSjsing 	{
15266b91627Sjsing 		/* CN without SANs - error due to embedded NUL in CN. */
15366b91627Sjsing 		.common_name = {
15466b91627Sjsing 			0x77, 0x77, 0x77, 0x2e, 0x6f, 0x70, 0x65, 0x6e,
15566b91627Sjsing 			0x62, 0x73, 0x64, 0x2e, 0x6f, 0x72, 0x67, 0x00,
15666b91627Sjsing 			0x6e, 0x61, 0x73, 0x74, 0x79, 0x2e, 0x6f, 0x72,
15766b91627Sjsing 			0x67,
15866b91627Sjsing 		},
15966b91627Sjsing 		.common_name_len = 25,
16066b91627Sjsing 		.name = "www.openbsd.org",
16166b91627Sjsing 		.want_return = -1,
16266b91627Sjsing 		.want_match = 0,
16366b91627Sjsing 	},
16466b91627Sjsing 	{
16566b91627Sjsing 		/* CN wildcard without SANs - invalid non-matching name. */
16666b91627Sjsing 		.common_name = "*.openbsd.org",
16766b91627Sjsing 		.common_name_len = -1,
16866b91627Sjsing 		.name = ".openbsd.org",
16966b91627Sjsing 		.want_return = 0,
17066b91627Sjsing 		.want_match = 0,
17166b91627Sjsing 	},
17266b91627Sjsing 	{
17366b91627Sjsing 		/* CN with SANs - matching on first SAN. */
174d49505fbSjsing 		.common_name = "www.openbsd.org",
17566b91627Sjsing 		.common_name_len = -1,
17666b91627Sjsing 		.alt_name1 = {
17766b91627Sjsing 			.name = "www.openbsd.org",
17866b91627Sjsing 			.name_len = -1,
17966b91627Sjsing 			.name_type = GEN_DNS,
18066b91627Sjsing 		},
18166b91627Sjsing 		.alt_name2 = {
18287e8bad1Sbeck 			.name = "ftp.openbsd.org",
18366b91627Sjsing 			.name_len = -1,
18466b91627Sjsing 			.name_type = GEN_DNS,
185d49505fbSjsing 		},
18687e8bad1Sbeck 		.name = "www.openbsd.org",
18766b91627Sjsing 		.want_return = 0,
18866b91627Sjsing 		.want_match = 1,
189d49505fbSjsing 	},
190d49505fbSjsing 	{
19166b91627Sjsing 		/* SANs only - matching on first SAN. */
19266b91627Sjsing 		.common_name_len = 0,
19366b91627Sjsing 		.alt_name1 = {
19487e8bad1Sbeck 			.name = "www.openbsd.org",
19566b91627Sjsing 			.name_len = -1,
19666b91627Sjsing 			.name_type = GEN_DNS,
19766b91627Sjsing 		},
19866b91627Sjsing 		.alt_name2 = {
19966b91627Sjsing 			.name = "ftp.openbsd.org",
20066b91627Sjsing 			.name_len = -1,
20166b91627Sjsing 			.name_type = GEN_DNS,
20266b91627Sjsing 		},
20366b91627Sjsing 		.name = "www.openbsd.org",
20466b91627Sjsing 		.want_return = 0,
20566b91627Sjsing 		.want_match = 1,
206d49505fbSjsing 	},
207d49505fbSjsing 	{
20866b91627Sjsing 		/* SANs only - matching on second SAN. */
20966b91627Sjsing 		.common_name_len = 0,
21066b91627Sjsing 		.alt_name1 = {
21166b91627Sjsing 			.name = "www.openbsd.org",
21266b91627Sjsing 			.name_len = -1,
21366b91627Sjsing 			.name_type = GEN_DNS,
21466b91627Sjsing 		},
21566b91627Sjsing 		.alt_name2 = {
21666b91627Sjsing 			.name = "ftp.openbsd.org",
21766b91627Sjsing 			.name_len = -1,
21866b91627Sjsing 			.name_type = GEN_DNS,
21966b91627Sjsing 		},
22066b91627Sjsing 		.name = "ftp.openbsd.org",
22166b91627Sjsing 		.want_return = 0,
22266b91627Sjsing 		.want_match = 1,
22366b91627Sjsing 	},
22466b91627Sjsing 	{
22566b91627Sjsing 		/* SANs only - non-matching. */
22666b91627Sjsing 		.common_name_len = 0,
22766b91627Sjsing 		.alt_name1 = {
22866b91627Sjsing 			.name = "www.openbsd.org",
22966b91627Sjsing 			.name_len = -1,
23066b91627Sjsing 			.name_type = GEN_DNS,
23166b91627Sjsing 		},
23266b91627Sjsing 		.alt_name2 = {
23366b91627Sjsing 			.name = "ftp.openbsd.org",
23466b91627Sjsing 			.name_len = -1,
23566b91627Sjsing 			.name_type = GEN_DNS,
23666b91627Sjsing 		},
23766b91627Sjsing 		.name = "mail.openbsd.org",
23866b91627Sjsing 		.want_return = 0,
23966b91627Sjsing 		.want_match = 0,
24066b91627Sjsing 	},
24166b91627Sjsing 	{
24266b91627Sjsing 		/* CN with SANs - matching on second SAN. */
243d49505fbSjsing 		.common_name = "www.openbsd.org",
24466b91627Sjsing 		.common_name_len = -1,
24566b91627Sjsing 		.alt_name1 = {
24666b91627Sjsing 			.name = "www.openbsd.org",
24766b91627Sjsing 			.name_len = -1,
24866b91627Sjsing 			.name_type = GEN_DNS,
24966b91627Sjsing 		},
25066b91627Sjsing 		.alt_name2 = {
25166b91627Sjsing 			.name = "ftp.openbsd.org",
25266b91627Sjsing 			.name_len = -1,
25366b91627Sjsing 			.name_type = GEN_DNS,
25466b91627Sjsing 		},
25566b91627Sjsing 		.name = "ftp.openbsd.org",
25666b91627Sjsing 		.want_return = 0,
25766b91627Sjsing 		.want_match = 1,
25866b91627Sjsing 	},
25966b91627Sjsing 	{
26066b91627Sjsing 		/* CN with SANs - matching on wildcard second SAN. */
26166b91627Sjsing 		.common_name = "www.openbsdfoundation.org",
26266b91627Sjsing 		.common_name_len = -1,
26366b91627Sjsing 		.alt_name1 = {
26466b91627Sjsing 			.name = "www.openbsdfoundation.org",
26566b91627Sjsing 			.name_len = -1,
26666b91627Sjsing 			.name_type = GEN_DNS,
26766b91627Sjsing 		},
26866b91627Sjsing 		.alt_name2 = {
26966b91627Sjsing 			.name = "*.openbsd.org",
27066b91627Sjsing 			.name_len = -1,
27166b91627Sjsing 			.name_type = GEN_DNS,
27266b91627Sjsing 		},
27366b91627Sjsing 		.name = "www.openbsd.org",
27466b91627Sjsing 		.want_return = 0,
27566b91627Sjsing 		.want_match = 1,
27666b91627Sjsing 	},
27766b91627Sjsing 	{
27866b91627Sjsing 		/* CN with SANs - non-matching invalid wildcard. */
27966b91627Sjsing 		.common_name = "www.openbsdfoundation.org",
28066b91627Sjsing 		.common_name_len = -1,
28166b91627Sjsing 		.alt_name1 = {
28266b91627Sjsing 			.name = "www.openbsdfoundation.org",
28366b91627Sjsing 			.name_len = -1,
28466b91627Sjsing 			.name_type = GEN_DNS,
28566b91627Sjsing 		},
28666b91627Sjsing 		.alt_name2 = {
28766b91627Sjsing 			.name = "*.org",
28866b91627Sjsing 			.name_len = -1,
28966b91627Sjsing 			.name_type = GEN_DNS,
29066b91627Sjsing 		},
29166b91627Sjsing 		.name = "www.openbsd.org",
29266b91627Sjsing 		.want_return = 0,
29366b91627Sjsing 		.want_match = 0,
29466b91627Sjsing 	},
29566b91627Sjsing 	{
29666b91627Sjsing 		/* CN with SANs - non-matching IPv4 due to GEN_DNS SAN. */
29766b91627Sjsing 		.common_name = "www.openbsd.org",
29866b91627Sjsing 		.common_name_len = -1,
29966b91627Sjsing 		.alt_name1 = {
30066b91627Sjsing 			.name = "www.openbsd.org",
30166b91627Sjsing 			.name_len = -1,
30266b91627Sjsing 			.name_type = GEN_DNS,
30366b91627Sjsing 		},
30466b91627Sjsing 		.alt_name2 = {
30587e8bad1Sbeck 			.name = "1.2.3.4",
30666b91627Sjsing 			.name_len = -1,
30766b91627Sjsing 			.name_type = GEN_DNS,
308d49505fbSjsing 		},
30987e8bad1Sbeck 		.name = "1.2.3.4",
31066b91627Sjsing 		.want_return = 0,
31166b91627Sjsing 		.want_match = 0,
312d49505fbSjsing 	},
313d49505fbSjsing 	{
31466b91627Sjsing 		/* CN with SANs - matching IPv4 on GEN_IPADD SAN. */
315d49505fbSjsing 		.common_name = "www.openbsd.org",
31666b91627Sjsing 		.common_name_len = -1,
31766b91627Sjsing 		.alt_name1 = {
31866b91627Sjsing 			.name = "www.openbsd.org",
31966b91627Sjsing 			.name_len = -1,
32066b91627Sjsing 			.name_type = GEN_DNS,
32166b91627Sjsing 		},
32266b91627Sjsing 		.alt_name2 = {
32366b91627Sjsing 			.name = {0x01, 0x02, 0x03, 0x04},
32466b91627Sjsing 			.name_len = 4,
32566b91627Sjsing 			.name_type = GEN_IPADD,
32666b91627Sjsing 		},
32766b91627Sjsing 		.name = "1.2.3.4",
32866b91627Sjsing 		.want_return = 0,
32966b91627Sjsing 		.want_match = 1,
33066b91627Sjsing 	},
33166b91627Sjsing 	{
33266b91627Sjsing 		/* CN with SANs - matching IPv6 on GEN_IPADD SAN. */
33366b91627Sjsing 		.common_name = "www.openbsd.org",
33466b91627Sjsing 		.common_name_len = -1,
33566b91627Sjsing 		.alt_name1 = {
33666b91627Sjsing 			.name = "www.openbsd.org",
33766b91627Sjsing 			.name_len = -1,
33866b91627Sjsing 			.name_type = GEN_DNS,
33966b91627Sjsing 		},
34066b91627Sjsing 		.alt_name2 = {
34166b91627Sjsing 			.name = {
342d49505fbSjsing 				0xca, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
343d49505fbSjsing 				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbe, 0xef,
344d49505fbSjsing 			},
34566b91627Sjsing 			.name_len = 16,
34666b91627Sjsing 			.name_type = GEN_IPADD,
34766b91627Sjsing 		},
34887e8bad1Sbeck 		.name = "cafe::beef",
34966b91627Sjsing 		.want_return = 0,
35066b91627Sjsing 		.want_match = 1,
351d49505fbSjsing 	},
352c9e28b3aSbeck 	{
35366b91627Sjsing 		/* CN with SANs - error due to embedded NUL in GEN_DNS. */
35466b91627Sjsing 		.common_name = "www.openbsd.org.nasty.org",
35566b91627Sjsing 		.common_name_len = -1,
35666b91627Sjsing 		.alt_name1 = {
35766b91627Sjsing 			.name = "www.openbsd.org.nasty.org",
35866b91627Sjsing 			.name_len = -1,
35966b91627Sjsing 			.name_type = GEN_DNS,
36066b91627Sjsing 		},
36166b91627Sjsing 		.alt_name2 = {
36266b91627Sjsing 			.name = {
36366b91627Sjsing 				0x77, 0x77, 0x77, 0x2e, 0x6f, 0x70, 0x65, 0x6e,
36466b91627Sjsing 				0x62, 0x73, 0x64, 0x2e, 0x6f, 0x72, 0x67, 0x00,
36566b91627Sjsing 				0x6e, 0x61, 0x73, 0x74, 0x79, 0x2e, 0x6f, 0x72,
36666b91627Sjsing 				0x67,
36766b91627Sjsing 			},
36866b91627Sjsing 			.name_len = 25,
36966b91627Sjsing 			.name_type = GEN_DNS,
37066b91627Sjsing 		},
37166b91627Sjsing 		.name = "www.openbsd.org",
37266b91627Sjsing 		.want_return = -1,
37366b91627Sjsing 		.want_match = 0,
37466b91627Sjsing 	},
37566b91627Sjsing 	{
37666b91627Sjsing 		/* CN with SAN - non-matching due to non-matching SAN. */
37766b91627Sjsing 		.common_name = "www.openbsd.org",
37866b91627Sjsing 		.common_name_len = -1,
37966b91627Sjsing 		.alt_name1 = {
38066b91627Sjsing 			.name = "ftp.openbsd.org",
38166b91627Sjsing 			.name_len = -1,
38266b91627Sjsing 			.name_type = GEN_DNS,
38366b91627Sjsing 		},
38466b91627Sjsing 		.name = "www.openbsd.org",
38566b91627Sjsing 		.want_return = 0,
38666b91627Sjsing 		.want_match = 0,
38766b91627Sjsing 	},
38866b91627Sjsing 	{
38966b91627Sjsing 		/* CN with SAN - error due to illegal dNSName. */
39066b91627Sjsing 		.common_name = "www.openbsd.org",
39166b91627Sjsing 		.common_name_len = -1,
39266b91627Sjsing 		.alt_name1 = {
39366b91627Sjsing 			.name = " ",
39466b91627Sjsing 			.name_len = -1,
39566b91627Sjsing 			.name_type = GEN_DNS,
39666b91627Sjsing 		},
39766b91627Sjsing 		.name = "www.openbsd.org",
39866b91627Sjsing 		.want_return = -1,
39966b91627Sjsing 		.want_match = 0,
400c9e28b3aSbeck 	},
401d49505fbSjsing };
402d49505fbSjsing 
403d49505fbSjsing #define N_VERIFY_TESTS \
404d49505fbSjsing     (sizeof(verify_tests) / sizeof(*verify_tests))
405d49505fbSjsing 
40666b91627Sjsing static void
alt_names_add(STACK_OF (GENERAL_NAME)* alt_name_stack,struct alt_name * alt)40766b91627Sjsing alt_names_add(STACK_OF(GENERAL_NAME) *alt_name_stack, struct alt_name *alt)
408d49505fbSjsing {
409d49505fbSjsing 	ASN1_STRING *alt_name_str;
410d49505fbSjsing 	GENERAL_NAME *alt_name;
411d49505fbSjsing 
412d49505fbSjsing 	if ((alt_name = GENERAL_NAME_new()) == NULL)
413d49505fbSjsing 		errx(1, "failed to malloc GENERAL_NAME");
41466b91627Sjsing 	alt_name->type = alt->name_type;
415d49505fbSjsing 
416d49505fbSjsing 	if ((alt_name_str = ASN1_STRING_new()) == NULL)
417d49505fbSjsing 		errx(1, "failed to malloc alt name");
41866b91627Sjsing 	if (ASN1_STRING_set(alt_name_str, alt->name, alt->name_len) == 0)
419d49505fbSjsing 		errx(1, "failed to set alt name");
420d49505fbSjsing 
421d49505fbSjsing 	switch (alt_name->type) {
422d49505fbSjsing 	case GEN_DNS:
423d49505fbSjsing 		alt_name->d.dNSName = alt_name_str;
424d49505fbSjsing 		break;
425d49505fbSjsing 	case GEN_IPADD:
426d49505fbSjsing 		alt_name->d.iPAddress = alt_name_str;
427d49505fbSjsing 		break;
428d49505fbSjsing 	default:
429d49505fbSjsing 		errx(1, "unknown alt name type (%i)", alt_name->type);
430d49505fbSjsing 	}
431d49505fbSjsing 
432d49505fbSjsing 	if (sk_GENERAL_NAME_push(alt_name_stack, alt_name) == 0)
433d49505fbSjsing 		errx(1, "failed to push alt_name");
43466b91627Sjsing }
43566b91627Sjsing 
43666b91627Sjsing static void
cert_add_alt_names(X509 * cert,struct verify_test * vt)43766b91627Sjsing cert_add_alt_names(X509 *cert, struct verify_test *vt)
43866b91627Sjsing {
43966b91627Sjsing 	STACK_OF(GENERAL_NAME) *alt_name_stack = NULL;
44066b91627Sjsing 
44166b91627Sjsing 	if (vt->alt_name1.name_type == 0)
44266b91627Sjsing 		return;
44366b91627Sjsing 
44466b91627Sjsing 	if ((alt_name_stack = sk_GENERAL_NAME_new_null()) == NULL)
44566b91627Sjsing 		errx(1, "failed to malloc sk_GENERAL_NAME");
44666b91627Sjsing 
44766b91627Sjsing 	if (vt->alt_name1.name_type != 0)
44866b91627Sjsing 		alt_names_add(alt_name_stack, &vt->alt_name1);
44966b91627Sjsing 	if (vt->alt_name2.name_type != 0)
45066b91627Sjsing 		alt_names_add(alt_name_stack, &vt->alt_name2);
45166b91627Sjsing 	if (vt->alt_name3.name_type != 0)
45266b91627Sjsing 		alt_names_add(alt_name_stack, &vt->alt_name3);
45366b91627Sjsing 
454d49505fbSjsing 	if (X509_add1_ext_i2d(cert, NID_subject_alt_name,
455d49505fbSjsing 	    alt_name_stack, 0, 0) == 0)
456d49505fbSjsing 		errx(1, "failed to set subject alt name");
45766b91627Sjsing 
458d49505fbSjsing 	sk_GENERAL_NAME_pop_free(alt_name_stack, GENERAL_NAME_free);
459d49505fbSjsing }
460d49505fbSjsing 
46166b91627Sjsing static int
do_verify_test(int test_no,struct verify_test * vt)46266b91627Sjsing do_verify_test(int test_no, struct verify_test *vt)
46366b91627Sjsing {
46466b91627Sjsing 	struct tls *tls;
46566b91627Sjsing 	X509_NAME *name;
46666b91627Sjsing 	X509 *cert;
46766b91627Sjsing 	int failed = 1;
46866b91627Sjsing 	int match;
46966b91627Sjsing 
47066b91627Sjsing 	/* Build certificate structure. */
47166b91627Sjsing 	if ((cert = X509_new()) == NULL)
47266b91627Sjsing 		errx(1, "failed to malloc X509");
47366b91627Sjsing 
47466b91627Sjsing 	if (vt->common_name_len != 0) {
47566b91627Sjsing 		if ((name = X509_NAME_new()) == NULL)
47666b91627Sjsing 			errx(1, "failed to malloc X509_NAME");
47766b91627Sjsing 		if (X509_NAME_add_entry_by_NID(name, NID_commonName,
478*f23ec8efSbeck 		    vt->name_type ? vt->name_type : MBSTRING_ASC,
479*f23ec8efSbeck 		    (unsigned char *)vt->common_name,
48066b91627Sjsing 		    vt->common_name_len, -1, 0) == 0)
48166b91627Sjsing 			errx(1, "failed to add name entry");
48266b91627Sjsing 		if (X509_set_subject_name(cert, name) == 0)
48366b91627Sjsing 			errx(1, "failed to set subject name");
48466b91627Sjsing 		X509_NAME_free(name);
485d49505fbSjsing 	}
486d49505fbSjsing 
48766b91627Sjsing 	if ((tls = tls_client()) == NULL)
48866b91627Sjsing 		errx(1, "failed to malloc tls_client");
48966b91627Sjsing 
49066b91627Sjsing 	cert_add_alt_names(cert, vt);
49166b91627Sjsing 
49266b91627Sjsing 	match = 1;
49366b91627Sjsing 
49466b91627Sjsing 	if (tls_check_name(tls, cert, vt->name, &match) != vt->want_return) {
49566b91627Sjsing 		fprintf(stderr, "FAIL: test %i failed for check name '%s': "
49666b91627Sjsing 		    "%s\n", test_no, vt->name, tls_error(tls));
49766b91627Sjsing 		goto done;
49866b91627Sjsing 	}
49966b91627Sjsing 	if (match != vt->want_match) {
50066b91627Sjsing 		fprintf(stderr, "FAIL: test %i failed to match name '%s'\n",
50166b91627Sjsing 		    test_no, vt->name);
50266b91627Sjsing 		goto done;
50366b91627Sjsing 	}
50466b91627Sjsing 
50566b91627Sjsing 	failed = 0;
50666b91627Sjsing 
50766b91627Sjsing  done:
508d49505fbSjsing 	X509_free(cert);
509ff3fecbbSjsing 	tls_free(tls);
510d49505fbSjsing 
51166b91627Sjsing 	return (failed);
512d49505fbSjsing }
513d49505fbSjsing 
514d49505fbSjsing int
main(int argc,char ** argv)515d49505fbSjsing main(int argc, char **argv)
516d49505fbSjsing {
517d49505fbSjsing 	int failed = 0;
518d49505fbSjsing 	size_t i;
519d49505fbSjsing 
520ff3fecbbSjsing 	tls_init();
521ff3fecbbSjsing 
522d49505fbSjsing 	for (i = 0; i < N_VERIFY_TESTS; i++)
523d49505fbSjsing 		failed += do_verify_test(i, &verify_tests[i]);
524d49505fbSjsing 
525d49505fbSjsing 	return (failed);
526d49505fbSjsing }
527